TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Computer System Access Controls Over Contractors Need to Be Improved

July 24, 2009

Reference Number: 2009-20-108

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals

Phone Number: 202-622-6500
Email Address: inquiries@tigta.treas.gov
Web Site: http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

July 24, 2009

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Computer System Access Controls Over Contractors Need to Be Improved (Audit # 200820015)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) established and implemented effective computer access controls over contractors that have been hired to develop, operate, and maintain IRS computer systems. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan as part of the statutory requirements to annually review the adequacy and security of IRS information technology.

Impact on the Taxpayer

The IRS uses contractors to perform a variety of information technology functions, such as developing applications for IRS business operations and maintaining computer operations. To perform these functions, contractors are granted access to IRS computer systems. However, some contractors who no longer had a business need to have access had active user accounts on IRS systems. When contractors are allowed to have unnecessary access to computer systems, the IRS is increasing the risks of exposing taxpayer data to unauthorized disclosure and disruption of system operations.

Synopsis

We have previously reported [1] problems with contractors' access to IRS computer systems. The underlying theme of the problems is the IRS' inability to effectively control contractor access to its computer systems. One of the fundamental principles for effective computer security is restricting system access to only those systems for which individuals, including contractors, have a business need. The IRS has specific security policies and procedures governing access by employees and contractors to computer systems and taxpayer data.

Despite the IRS' policies and procedures and our previous reports of inadequate oversight of contractor access to IRS computer systems, we identified system access control issues for contractors. From a sample of 7 IRS systems, we found that 53 of 376 contractors had active user accounts but did not have a business need for access to that system. These 53 contractors consisted of contractors whose job duties or access privileges had changed and no longer needed system access, contractors who had separated from the contract with the IRS, and contractors who had never logged onto the system or had not logged onto the system within 45 calendar days. We also identified 15 contractors whose system access was not deleted in a timely manner upon separation from the contract with the IRS. These contractors' accesses were not removed from systems in a timely manner because responsible officials were not following security procedures and relied on systemic solutions to disable and delete user access to systems based on inactivity. Also, managers and Contracting Officer's Technical Representatives [2] did not provide the necessary oversight of reviewing access privileges and notifying system owners when contractors no longer needed access.

We also identified 12 system development contractors who had access to the production environment of the system on which they worked and 39 system administration contractors who had database administrator privileges. [3(d) redacted] Lastly, we found system accesses were not always authorized, documented, or recertified in a timely manner, and system accesses were granted prior to a background investigation being completed. We believe managers and security officers did not carry out their security roles and responsibilities over system access.

[1] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 22, 2004) and Monitoring of PRIME Contractor Access to Networks and Data Needs to Be Improved (Reference Number 2005-20-185, dated September 29, 2005).
[2] Contracting Officer's Technical Representatives furnish technical direction, monitor contract performance, and maintain an arm's-length relationship with the contractor.

Recommendations

We recommended that the Chief Technology Officer 1) provide appropriate communications to all Contracting Officer's Technical Representatives and managers reinforcing the need to ensure that system accesses are revoked when contractors leave the IRS and that separation of duties is followed, 2) enforce current procedures on all systems by configuring systems to automatically disable and/or delete user accounts when they are not accessed for the appropriate number of days, 3) provide appropriate communications to all Contracting Officer's Technical Representatives and managers to remind them that they have the primary responsibility for providing prompt notification to the responsible organization of any contractor status changes, 4) provide appropriate communications to Contracting Officer's Technical Representatives and managers that the Online 5081 system is the primary system used for authorizing and approving requests for any system access and that system access should not be granted until a contractor or employee has successfully completed a background investigation, and 5) improve accountability over employee and manager adherence with security policies and procedures over contractor system access.

Response

IRS management agreed with the recommendations. The Modernization and Information Technology Services Cybersecurity organization will coordinate with the Agency-Wide Shared Services Contractor Oversight Group to develop and deliver appropriate communications content to Contracting Officer's Technical Representatives and managers that will 1) remind them of the notification responsibility, including annually reviewing access privileges to verify the continued need for access and, in accordance with existing IRS policy, suspending, cancelling, and/or adjusting contractor system access privileges; 2) address that after 45 calendar days have passed and the user is not recertified, procedures will be implemented to disable and remove or securely incapacitate the user account and access privileges; and 3) remind them of their obligation, in accordance with existing IRS policy, to separate contractors who do not adhere to security policies and procedures governing system access within 45 calendar days. Also, the Modernization and Information Technology Services organization will enforce system configuration settings to automatically disable contractors' accounts after 45 calendar days of inactivity and will ensure accounts that are inactive for more than 90 calendar days are deleted or securely incapacitated based on the technical capabilities and requirements of each system and platform. Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.

Table of Contents

Background .......... Page 1
Results of Review .......... Page 2
    Contractors Had Unnecessary Access to Computer Systems .......... Page 2
        Recommendations 1 through 3 .......... Page 5
    Compliance With Security Requirements Could Be Improved for Contractors Who Have a Business Need for System Access .......... Page 6
        Recommendations 4 and 5 .......... Page 8
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology .......... Page 9
    Appendix II – Major Contributors to This Report .......... Page 11
    Appendix III – Report Distribution List .......... Page 12
    Appendix IV – Management's Response to the Draft Report .......... Page 13

Abbreviations

COTR     Contracting Officer's Technical Representative
IRS      Internal Revenue Service
MITS     Modernization and Information Technology Services
OL5081   Online 5081
Background

The Internal Revenue Service (IRS) relies extensively on contractors to provide information technology services and systems. These contractors perform a variety of information technology functions for the IRS, such as developing applications for business operations and maintaining computer operations. To perform these functions, contractors are granted access to IRS computer systems.

We have previously reported problems with contractors' access to IRS computer systems. In March 2004, we reported [1] that contractors were not complying with IRS security procedures and IRS Procurement function officials were not aware of the security regulations pertaining to the contractors they were assigned to oversee. In September 2005, we conducted a followup review [2] and identified that Procurement function officials were still not fulfilling their responsibilities related to granting contractors access to IRS systems. We identified more than 1,000 contractors who were no longer working for the IRS that could still sign on to IRS systems.

The underlying theme of these problems is the IRS' inability to effectively control contractor access to its computer systems. One of the fundamental principles for effective computer security is restricting system access to only those systems and applications for which individuals, including contractors, have a business need. This concept of need-to-know and least privilege includes having appropriate persons authorize system access, having program managers and systems owners monitor system access to ensure access is still needed based on job responsibilities, and removing system access when the need no longer exists.

This review was performed at the IRS National Headquarters in New Carrollton, Maryland, and in Modernization and Information Technology Services (MITS) organization field offices located in Atlanta, Georgia; Cincinnati, Ohio; Memphis, Tennessee; and Austin, Texas, during the period July 2008 through March 2009. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 22, 2004).
[2] Monitoring of PRIME Contractor Access to Networks and Data Needs to Be Improved (Reference Number 2005-20-185, dated September 29, 2005).

Results of Review

Contractors Had Unnecessary Access to Computer Systems

The IRS has specific security policies and procedures governing access by employees and contractors to computer systems and taxpayer data. However, our review identified two areas where contractors had unnecessary access to IRS computer systems and taxpayer data.

Contractors had active user accounts, but did not have a business need

The IRS has access control procedures and requirements that pertain to both IRS employees and contractors. These procedures include granting system access when the business need exists, applying the principles of need-to-know and least privilege, and taking away system access when the business need no longer exists. As a further control, the IRS requires disabling system access when no access has occurred within 45 calendar days and removing system access when no access has occurred within 90 calendar days.

Contractors are also subjected to further scrutiny from the Contracting Officer's Technical Representative (COTR), [3] who is responsible for the contract under which the contractor was hired to work.
The COTR\xe2\x80\x99s duties include initiating access privileges for contractors, reviewing\naccess privileges annually to verify the continued need for access, and notifying system owners\nin a timely manner when contractors no longer need access.\nDespite these procedures, we identified contractors with active user accounts on IRS systems\nwho no longer had a business need for that access. For a sample of 7 IRS systems, we identified\nthat 53 (14 percent) of 376 contractors had active user accounts but did not have a business need\nfor access to that system. We also identified five duplicate active user accounts for contractors\non the systems we reviewed. The 53 contractors with active user accounts fell into the following\nexception categories: 4\n    \xe2\x80\xa2   Job duties or access privileges changed and system access was no longer needed\n        (35 contractors). System owners and program managers were unaware of these\n        situations when they occurred. COTRs did not know of the change in job duties or did\n        not share the information with system owners or program managers.\n\n\n\n\n3\n  COTRs furnish technical direction, monitor contract performance, and maintain an arm\xe2\x80\x99s-length relationship with\nthe contractor.\n4\n  The total number of exceptions is more than 53 because 4 contractors fell into more than 1 category.\n                                                                                                          Page 2\n\x0c                                Computer System Access Controls\n                               Over Contractors Need to Be Improved\n\n\n\n   \xe2\x80\xa2   Separated from the contract with the IRS (five contractors). Of particular concern, we\n       found that 3 of the 5 separated contractors left the IRS in May 2006, and the accounts\n       were active and not used for more than 850 days. 
The IRS was unable to provide us any\n       information on the separation dates for the other two contractors.\n   \xe2\x80\xa2   Never logged onto the system or had not logged onto the system within 45 calendar days\n       (17 contractors). This condition suggests that the contractors never needed access to the\n       system in the first place or a change in needed access had occurred. Again, system\n       owners and program managers were unaware of these situations, and COTRs did not\n       know of the change in job duties or did not share the information with system owners or\n       program managers.\nIn addition to contractors who had active system access with no business need, we identified\n15 contractors whose system access was not deleted in a timely manner upon their separation\nfrom the IRS. The delays in removing system access ranged from 4 to 53 calendar days.\nThese contractors\xe2\x80\x99 accesses were not removed from systems in a timely manner because\nresponsible officials were not following security procedures and relied on systemic solutions to\ndisable and delete user access to systems based on inactivity. However, the automated programs\nto identify user accounts with inactivity were either not being run regularly or did not work as\nintended. Also, managers and COTRs did not provide the necessary oversight of reviewing\naccess privileges and notifying system owners when contractors no longer needed access.\n\nContractors had excess privileges that violated separation of duties rules\nSeparation of duties is an organizational principle that provides process integrity while\nmaintaining proper security and quality controls. IRS security policy states that system and\napplication software development, testing, and debugging must be performed on information\nsystems dedicated for these purposes and not on production information systems. 
To ensure\nproper separation of duties, system developers should not have access to the system\xe2\x80\x99s production\nenvironment. This separation ensures that system developers cannot make changes on\nproduction systems that have gone through rigorous testing and authorization to operate.\nDevelopers who have access to the production system could bypass strict configuration\nmanagement requirements and make unapproved and untested changes. In addition, system\nadministrators should not have database administrator privileges. While system administrators\nare responsible for the configuration and day-to-day operations of the system, the database\nadministrators are responsible for the security, maintenance, and backup of the database\nrepositories. This separation ensures the integrity of the data and that any unauthorized changes\nto the data can be detected.\nWe identified 12 system development contractors who had access to the production environment\nof the system on which they worked and 39 system administration contractors who had database\nadministrator privileges. We were unable to determine how long these contractors had\n\n                                                                                          Page 3\n\x0c                                               Computer System Access Controls\n                                              Over Contractors Need to Be Improved\n\n\n\n       unnecessary access to IRS production systems because we could not determine when these\n       accounts were created, when contractors were given system access, or when user access\n       privileges were granted or changed.\n\n3(d)                        n environment access issue\n\n                              For the database administrator access issue,\n\n3(d)\n       Two other factors have heightened our concerns about the access control deficiencies over\n       contractors.\n           1. 
While we did not identify any questionable activity or wrongdoing by contractors who no\n              longer had a business need for system access, our attempts to evaluate their activities\n              were hampered by the lack of reviewable audit traiP data for the systems we reviewed.\n              We referred this issue to an ongoing Treasury Inspector General for Tax Administration\n              review over audit trails. Without the ability to monitor contractor system activities, the\n              IRS is placed in the precarious position of relying on access controls as the sole means to\n              ensure that contractors are accessing only the systems and data they require to do their\n              jobs.\n           2. The IRS does not have an effective centralized system or method of identifying all\n              contractors working within the IRS. This lack of accountability has hampered the IRS'\n              ability to monitor contractors and control their computer system access. While the IRS\n              has formed a committee to implement a central tracking process for contractors, the\n              processis not in place and implementation efforts have encountered difficulties.\n       When contractors are allowed to have unnecessary access to IRS systems and taxpayer data, the\n       IRS is increasing the risks of exposing taxpayer data to unauthorized disclosure and disruption of\n       system operations. 
All seven computer systems in our review contain taxpayer data, including\n       taxpayer correspondence; current, past, and questionable tax returns; delinquent taxpayer\n       accounts; and fuel transaction information on billing and vehicle registration.\n       To illustrate these risks, several news outlets published a January 2009 news story relating to a\n       former Federal National Mortgage Association (Fannie Mae) information technology contractor\n       who was indicted for installing a malicious computer program that would have caused millions\n       of dollars of damage and reduced, if not shutdown, operations at the mortgage giant. The\n       malicious program would have disabled monitoring alerts and logins, deleted root passwords to\n       4,000 servers, and erased all data and backup data on those servers by overwriting them with\n       zeros. However, the malicious program was discovered by an employee 5 days after it was\n\n\n       5 An audit trail is a chronological record of activities that allow for the reconstruction, review, and examination of a\n       transaction from inception to final results. Audit trails can be used to detect unauthorized accesses to computer\n       networks.\n                                                                                                                        Page 4\n\x0c                                 Computer System Access Controls\n                                Over Contractors Need to Be Improved\n\n\n\ninstalled, and no actual harm occurred. The contractor was able to install the malicious program\nbecause his system access privileges were not revoked as soon as he was terminated from his\nposition. 
An equally disturbing possible outcome, as noted in comments from a reader to one of\nthe online news articles, was that the contractor could have stolen critical customer data for the\npurpose of monetary gain instead of attempting to disrupt computer operations.\n\nRecommendations\nThe Chief Technology Officer should:\nRecommendation 1: Provide appropriate communications to all COTRs and managers\nreinforcing the need to ensure appropriate system accesses are revoked when contractors leave\nthe IRS and contractors\xe2\x80\x99 duties no longer require system access, and that separation of duties is\nfollowed to ensure that contractors do not have access to both development and production\nsystem environments and do not have both system and database administrator privileges.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The MITS\n       Cybersecurity organization will coordinate with the Agency-Wide Shared Services\n       Contractor Oversight Group to develop and deliver appropriate communications content\n       to COTRs.\nRecommendation 2: Enforce current procedures on all systems by configuring systems to\nautomatically disable contractors\xe2\x80\x99 accounts after 45 calendar days of inactivity and to delete the\naccounts after 90 calendar days of inactivity.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The MITS\n       organization will enforce system configuration settings to automatically disable\n       contractors\xe2\x80\x99 accounts after 45 calendar days of inactivity and will ensure that accounts\n       that are inactive for more than 90 calendar days are deleted or securely incapacitated\n       based on the technical capabilities and requirements of each system and platform.\n       Securely incapacitating accounts will effectively delete all access capability while\n       retaining account background information. 
Current procedures will be reviewed and\n       updated to ensure that the associated technical configurations are appropriately\n       documented.\nRecommendation 3: Provide appropriate communications to all COTRs and managers to\nremind them that they have the primary responsibility for providing prompt notification to the\nresponsible organization of any contractor status changes, including annually reviewing access\nprivileges to verify the continued need for access. The responsible organization should\nimmediately suspend, cancel, and/or adjust all access privileges associated with changes in a\ncontractor\xe2\x80\x99s status.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The MITS\n       Cybersecurity organization will coordinate with the Agency-Wide Shared Services\n\n                                                                                            Page 5\n\x0c                                Computer System Access Controls\n                               Over Contractors Need to Be Improved\n\n\n\n       Contractor Oversight Group to provide appropriate communications to COTRs and\n       managers reminding them of this notification responsibility, including annually reviewing\n       access privileges to verify the continued need for access and, in accordance with existing\n       IRS policy, suspend, cancel, and/or adjust contractor system access privileges.\n\nCompliance With Security Requirements Could Be Improved for\nContractors Who Have a Business Need for System Access\nThe IRS has specific procedures and requirements for authorizing system access for employees\nand contractors. Our review identified two areas where access authorization controls over\ncontractors can be improved.\n\nSystem accesses were not always authorized, documented, or recertified in a\ntimely manner\nProviding contractors access to IRS computer systems starts with the system access authorization\nprocess. 
The IRS established the Information System User Registration/Change Request\n(Form 5081) for managers to request and authorize employee and contractor access for all IRS\nsystems, including development and production systems. System administrators are responsible\nfor adding and removing authorized system users and maintaining an up-to-date list of\nauthorized users. In October 2002, the IRS automated the system authorization process with the\nOnline 5081 (OL5081) system. The OL5081 system also provides documentation information\non a contractor\xe2\x80\x99s certification that he or she understands the IRS security rules over computer\nusage and on the manager\xe2\x80\x99s annual recertification of the contractor\xe2\x80\x99s continued system access\nand need-to-know.\nThe IRS also established other complementary security controls. Managers are required to\nannually review users\xe2\x80\x99 accounts and profiles, including a review of the access level,\nconformance with the principle of least privilege, and current management authorizations.\nEven though clear security policies and procedures have been established, we identified that\n46 (12 percent) of 376 contractor accounts did not have proper authorization for system access\non the OL5081 system. We were also unable to find paper copies of approved authorizations\nfrom the contractors\xe2\x80\x99 current managers or COTRs. Twenty-four of the 46 contractor accounts\nare associated with a development system, which operated with live taxpayer data and had not\nreceived an approved waiver to operate in this condition.\nFor one development system, the IRS manager over the system informed us that, because it was\na development system, access was granted using email instead of using the OL5081 system. For\nthe other systems without the Form 5081 information, we were unable to determine how these\ncontractors obtained access to the systems. 
We believe that managers either did not carry out\ntheir responsibilities to follow approved system access authorization processes or system\nadministrators may have added contractors to systems without a manager\xe2\x80\x99s authorization. The\n\n                                                                                          Page 6\n\x0c                                     Computer System Access Controls\n                                    Over Contractors Need to Be Improved\n\n\n\nIRS confirmed that those contractors needing access to IRS systems were in the process of\ncompleting system access authorization.\nWe also identified 39 (21 percent) of 187 6 contractor accounts that were not recertified in a\ntimely manner by a manager to indicate that the contractors had a continued need for system\naccess. We were informed that contractor system accesses were not recertified in a timely\nmanner because:\n    \xe2\x80\xa2   Managers were busy and did not have time to recertify the contractor\xe2\x80\x99s continued system\n        access and need-to-know.\n    \xe2\x80\xa2   A transition in managers caused confusion over which manager should do the\n        recertification.\n    \xe2\x80\xa2   Managers were uncertain whether there was still a business need for system access and\n        required more time to make a determination.\n    \xe2\x80\xa2   Managers of contractors whose access were granted using a paper Form 5081 did not\n        receive electronic email reminders to recertify.\n\nSystem accesses were granted prior to a background investigation being\ncompleted\nIRS policy requires that a background investigation must be conducted on employees and\ncontractors at the risk level appropriate to the sensitivity of the position before system access is\ngranted. At a minimum, contractors should not be given access to sensitive IRS systems until\nthey have a completed background investigation or have received interim access approval. 
The background investigation provides a level of assurance that the employee or contractor is of good character and can be trusted with access to sensitive data.

Despite this requirement, we found that 7 (2 percent) of 376 contractors were given system access before a background investigation was completed or interim access approval was received. We believe managers and security officers did not carry out their responsibilities to verify, before granting system access, that a background investigation had been completed or that the contractor had received interim access approval. All seven contractors eventually had a completed background investigation.

When contractors are allowed access to IRS systems before the system access authorization tasks are complete, the IRS increases its risk of unauthorized access to taxpayer data and other personally identifiable information.

6 The 187 contractor accounts represent those user accounts in our sample where access was granted more than 1 year earlier and were, therefore, subject to annual recertification requirements.

Recommendations

The Chief Technology Officer should:

Recommendation 4: Provide appropriate communications to all COTRs and managers that the OL5081 system is the primary system used for authorizing and approving requests for any system access. System access should not be granted until the contractor or employee has successfully completed a background investigation and been approved for access through the OL5081 system.
Managers and COTRs have the primary responsibility to ensure that contractors and employees complete their annual recertification requirements within 45 calendar days of notification. If 45 days have passed and a user has not been recertified, the system administrator should disable and remove the user account and its access privileges from the system.

       Management’s Response: The IRS agreed with this recommendation. The MITS Cybersecurity organization will coordinate with the Agency-Wide Shared Services Contractor Oversight Group to develop and deliver appropriate communications content to COTRs. In addition, the communication will also address that after 45 calendar days have passed and the user is not recertified, procedures will be implemented to disable and remove or securely incapacitate the user account and access privileges.

Recommendation 5: Ensure that COTRs understand their obligation to separate contractors who do not adhere to security policies and procedures governing system access within 45 calendar days. In cases where a COTR does not separate a noncompliant contractor, notification should be provided to the COTR’s manager that the manager needs to direct the COTR to separate the contractor. If the COTR still fails to separate the contractor, the manager should take appropriate action.

       Management’s Response: The IRS agreed with this recommendation. The MITS Cybersecurity organization will coordinate with the Agency-Wide Shared Services Contractor Oversight Group to provide appropriate communications to COTRs reminding them of their obligation, in accordance with existing IRS policy, to separate contractors who do not adhere to security policies and procedures governing system access within 45 calendar days.
       This notification will also reinforce taking the appropriate actions when this obligation is not fulfilled.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS established and implemented effective computer access controls over contractors that have been hired to develop, operate, and maintain IRS computer systems. To accomplish this objective, we:
I.      Determined whether the IRS was effectively controlling contractor access.
        A. Identified systems with contractor user accounts and judgmentally selected 7 of 65 systems, totaling 376 contractor user accounts, for review based on the number of contractor user accounts and the sensitivity and location of the systems. The seven systems selected for review were: the Excise Files Information Retrieval System in Cincinnati, Ohio; the Electronic Fraud Detection System and the Integrated Collection System in Memphis, Tennessee; the Correspondence Imaging System–Development, Correspondence Imaging System–Application, and Correspondence Imaging System–Imaging in Austin, Texas; and the Integrated Data Retrieval System in Atlanta, Georgia, and Austin, Texas.
        B. Determined whether contractors’ access rights were authorized for each system selected for review. We obtained a download from the OL5081 system of contractor accounts for the systems selected.
           We verified this information by requesting a download from each system selected and reconciled it to the Treasury Integrated Management Information System¹ database of current and separated employees. Accounts that did not match an employee record were identified as contractor accounts and reconciled with the OL5081 data.
        C. Determined whether contractors’ managers recertified annually their continued need-to-know for system access. Only 187 of the 376 contractor accounts represented user accounts where access was granted more than 1 year earlier and were, therefore, subject to recertification requirements.
        D. Determined whether contractors received the proper level of background investigation prior to system access.
        E. Reviewed contractor account information to identify periods of inactivity.
        F. Determined whether contractors had a continued need-to-know for system access.
        G. Determined whether developers had access to live data and production systems.
        H. Determined the causes for any conditions identified above.
        I. Reviewed audit trails² for fraud indicators and trends.

1 An official automated personnel and payroll system for storing and tracking all employee personnel and payroll data. It is outsourced to the United States Department of Agriculture National Finance Center and managed by the Department of the Treasury.

II.     Determined whether contractors were complying with IRS security policies and procedures.
        A. Identified applicable security policies and procedures.
        B.
           Determined whether contractors violated security policies and procedures.
        C. Determined the causes for contractors not complying with IRS policies and procedures for handling sensitive IRS data.
        D. Assessed the effect of the inadequate security controls identified above.

2 An audit trail is a chronological record of activities that allows for the reconstruction, review, and examination of a transaction from inception to final results. Audit trails can be used to detect unauthorized accesses to computer networks.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Acting Director
Jody Kitazono, Acting Audit Manager
Louis Lee, Lead Auditor
Alan Beber, Senior Auditor
Myron Gulley, Senior Auditor
Abraham Millado, Senior Auditor
Larry Reimer, Senior Auditor
Stasha Smith, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Director, Stakeholder Management Division OS:CTO:SM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director,
Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Chief Technology Officer OS:CTO

Appendix IV

Management’s Response to the Draft Report
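The reconciliation steps in Appendix I (items I.B through I.D) and the 45-calendar-day recertification rule in Recommendation 4 can be expressed as a repeatable check that an audit or security team could run against a system's account export. The following is an added example written for this edition; it is not code from the report, the IRS, or the OL5081 system. The OL5081 field names, the review as-of date, the system name "EFDS" and every account and date in it are assumptions or constructed sample data. It treats any account in the system export that matches no employee record (current or separated) as a contractor account, flags contractor accounts with no OL5081 record, flags accounts granted more than one year earlier whose annual recertification is overdue (and, where the manager was notified more than 45 days ago, marks the account for disabling), and flags accounts whose approval predates completion of the background investigation with no interim approval.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed as-of date for the review; the 1-year cycle and 45-day window come from the report.
REVIEW_DATE = date(2009, 3, 31)
RECERT_PERIOD = timedelta(days=365)
RECERT_GRACE = timedelta(days=45)


@dataclass(frozen=True)
class Authorization:
    """One OL5081 record for a (user, system) pair.

    The field names are assumptions for this example, not the OL5081 schema.
    """
    user: str
    system: str
    approved: date                            # date the manager/COTR approved access
    bi_completed: Optional[date] = None       # background investigation completion date
    interim_approval: bool = False            # interim access approval granted before BI completed
    last_recert: Optional[date] = None        # most recent annual recertification by the manager
    recert_notified: Optional[date] = None    # date the manager was notified that recert is due


# Constructed sample data (not from the report).
SYSTEM_ACCOUNTS = {"EFDS": ["jdoe", "asmith", "vendor01", "vendor02", "vendor03", "vendor04"]}
HR_RECORDS = {"jdoe": "current", "asmith": "separated"}      # stand-in for the TIMIS download
OL5081 = [
    Authorization("vendor01", "EFDS", date(2008, 1, 15), bi_completed=date(2007, 12, 1),
                  last_recert=date(2009, 1, 10)),
    Authorization("vendor02", "EFDS", date(2007, 6, 1), bi_completed=date(2007, 5, 1),
                  recert_notified=date(2008, 6, 5)),
    Authorization("vendor03", "EFDS", date(2009, 2, 1), bi_completed=date(2009, 3, 1)),
    # vendor04 has an account on the system but no OL5081 record at all.
]


def contractor_accounts(accounts: Iterable[str], hr_records: Dict[str, str]) -> List[str]:
    """Appendix I.B: accounts matching no employee (current or separated) are contractor accounts."""
    return [a for a in accounts if a not in hr_records]


def findings_for(auth: Optional[Authorization], review_date: date) -> List[str]:
    """Apply the authorization, background-investigation and recertification checks to one account."""
    if auth is None:
        return ["NO_OL5081_AUTHORIZATION"]
    findings = []
    # Appendix I.D: access granted before the BI was completed, with no interim approval.
    bi_late = auth.bi_completed is None or auth.bi_completed > auth.approved
    if bi_late and not auth.interim_approval:
        findings.append("ACCESS_BEFORE_BACKGROUND_INVESTIGATION")
    # Appendix I.C: only accounts granted more than a year ago are due for annual recertification.
    if auth.approved + RECERT_PERIOD <= review_date:
        due = (auth.last_recert or auth.approved) + RECERT_PERIOD
        if due < review_date:
            findings.append("RECERT_OVERDUE")
            # Recommendation 4: 45 calendar days after notification, disable the account.
            if auth.recert_notified and review_date - auth.recert_notified > RECERT_GRACE:
                findings.append("DISABLE_ACCOUNT")
    return findings


def review_system(system: str,
                  accounts=SYSTEM_ACCOUNTS, hr_records=HR_RECORDS,
                  authorizations=OL5081, review_date: date = REVIEW_DATE) -> Dict[str, List[str]]:
    """Return {contractor account: [findings]} for one system; an empty list means no exception."""
    index = {(a.user, a.system): a for a in authorizations}
    return {user: findings_for(index.get((user, system)), review_date)
            for user in contractor_accounts(accounts[system], hr_records)}


if __name__ == "__main__":
    for user, f in review_system("EFDS").items():
        print(f"{user:10s} {', '.join(f) or 'OK'}")
```

With the sample data, vendor01 produces no exception, vendor02 is overdue and past the 45-day window, vendor03 was approved before its background investigation completed, and vendor04 has no OL5081 authorization at all. Note that the report's own procedure matched accounts against both current and separated employees, so a separated employee with a live account (asmith here) is deliberately not counted as a contractor finding; a real run would want a separate check for that case.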